
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


What Are NULL pname entries in v$process?



I got a message on LinkedIn today from Jijo, who asked why some of the PNAME column values are NULL when he queries v$process. I have a simple script, vproc.sql, that I have used for many years when analysing databases for security issues. The script, available here, gives the high-level details for each session. We have another script that gives everything for every session and process, which we use when we do forensic analysis of Oracle databases that may have been breached (or have in fact been breached). We get more and more work in this area (unfortunately for the customers), where we are asked to do live analysis of a database that is felt to have been attacked, and more often we do static analysis (after the fact) of a database that was breached some time ago.

Forensic analysis or incident response for Oracle databases is becoming very important, but not as important as securing your data in advance of a breach to prevent it, or ensuring that you have adequate audit trails set up in advance to capture an attack.

The output from the script vproc.sql shows:


SQL> @vproc

SID SERIAL# USERNAME OSUSER PNAME TERMINAL MACHINE PORT PROCPROG SESSPROG B
----- ------- ---------- ---------- ---------- ---------- ------------------------- ------ ----------------------------------- --------------------------------------------- -
1 41159 oracle oracle PMON UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (PMON) oracle@oel7.localdomain (PMON) B
238 61512 oracle oracle CLMN UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (CLMN) oracle@oel7.localdomain (CLMN) B
2 30618 oracle oracle PSP0 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (PSP0) oracle@oel7.localdomain (PSP0) B
239 54869 oracle oracle VKTM UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (VKTM) oracle@oel7.localdomain (VKTM) B
3 4943 oracle oracle GEN0 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (GEN0) oracle@oel7.localdomain (GEN0) B
240 44338 oracle oracle MMAN UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (MMAN) oracle@oel7.localdomain (MMAN) B
11 41222 oracle oracle SMON UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (SMON) oracle@oel7.localdomain (SMON) B
241 48205 oracle oracle GEN1 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (GEN1) oracle@oel7.localdomain (GEN1) B
5 28558 oracle oracle SCMN UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (SCMN) oracle@oel7.localdomain (SCMN) B
242 36406 oracle oracle DIAG UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (DIAG) oracle@oel7.localdomain (DIAG) B
6 51574 oracle oracle OFSD UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (OFSD) oracle@oel7.localdomain (OFSD) B
243 48466 oracle oracle SCMN UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (SCMN) oracle@oel7.localdomain (SCMN) B
7 16054 oracle oracle DBRM UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (DBRM) oracle@oel7.localdomain (DBRM) B
244 13590 oracle oracle VKRM UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (VKRM) oracle@oel7.localdomain (VKRM) B
8 58188 oracle oracle SVCB UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (SVCB) oracle@oel7.localdomain (SVCB) B
245 790 oracle oracle PMAN UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (PMAN) oracle@oel7.localdomain (PMAN) B
9 16947 oracle oracle DIA0 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (DIA0) oracle@oel7.localdomain (DIA0) B
246 22744 oracle oracle DBW0 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (DBW0) oracle@oel7.localdomain (DBW0) B
10 27816 oracle oracle LGWR UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (LGWR) oracle@oel7.localdomain (LGWR) B
247 49432 oracle oracle CKPT UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (CKPT) oracle@oel7.localdomain (CKPT) B
4 21723 oracle oracle LG00 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (LG00) oracle@oel7.localdomain (LG00) B
248 18011 oracle oracle LG01 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (LG01) oracle@oel7.localdomain (LG01) B
12 26869 oracle oracle SMCO UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (SMCO) oracle@oel7.localdomain (SMCO) B
249 32114 oracle oracle RECO UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (RECO) oracle@oel7.localdomain (RECO) B
34 9377 oracle pxf UNKNOWN Peters-MacBook-Pro.local 55071 oracle@oel7.localdomain sqlplus@Peters-MacBook-Pro.local (TNS V1-V3) F
250 2896 oracle oracle LREG UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (LREG) oracle@oel7.localdomain (LREG) B
35 1177 oracle oracle UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (TNS V1-V3) sqlplus@oel7.localdomain (TNS V1-V3) F
251 18917 oracle oracle PXMN UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (PXMN) oracle@oel7.localdomain (PXMN) B
17 31463 oracle oracle MMNL UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (MMNL) oracle@oel7.localdomain (MMNL) B
252 16226 oracle oracle MMON UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (MMON) oracle@oel7.localdomain (MMON) B
18 26484 oracle oracle TMON UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (TMON) oracle@oel7.localdomain (TMON) B
262 58041 oracle oracle QM02 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (QM02) oracle@oel7.localdomain (QM02) B
19 37134 oracle oracle TT00 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (TT00) oracle@oel7.localdomain (TT00) B
255 63272 oracle oracle TT01 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (TT01) oracle@oel7.localdomain (TT01) B
20 28933 oracle oracle TT02 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (TT02) oracle@oel7.localdomain (TT02) B
256 3862 oracle oracle AQPC UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (AQPC) oracle@oel7.localdomain (AQPC) B
22 53389 oracle oracle CJQ0 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (CJQ0) oracle@oel7.localdomain (CJQ0) B
259 18082 oracle oracle Q001 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (Q001) oracle@oel7.localdomain (Q001) B
13 44347 oracle oracle W003 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (W003) oracle@oel7.localdomain (W003) B
260 61261 oracle oracle W002 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (W002) oracle@oel7.localdomain (W002) B
27 39265 oracle oracle Q003 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (Q003) oracle@oel7.localdomain (Q003) B
26 6270 oracle oracle W006 UNKNOWN oel7.localdomain 0 oracle@oel7.localdomain (W006) oracle@oel7.localdomain (W006) B

42 rows selected.

SQL>


As you (and the questioner) can see, the PNAME column from v$process is NULL for two of the processes. These lines are SID/SERIAL# 34/9377 and 35/1177. These are the only lines that are for FOREGROUND processes, and they are also the only lines where the PROGRAM is sqlplus. One is a connection to the 12.2.0.1 database as SYSDBA from the server and one is a connection as SYSDBA from a client PC (MacBook). So the answer to why PNAME is NULL is that these are the processes that are not BACKGROUND processes.
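The relationship described above can be checked on a live database with a query like the following. This is an added example, not the vproc.sql script from this post; it assumes SELECT access to v$session and v$process on a release where v$process has the PNAME column (such as the 12.2.0.1 database above), and the CLASSIFICATION labels are names chosen here for illustration.

```sql
-- Added example (not the author's vproc.sql).
-- Joins each session to its server process and compares two independent
-- indicators of "background": v$process.pname and v$session.type.
SELECT s.sid,
       s.serial#,
       s.username                 AS db_user,
       s.osuser,
       NVL(p.pname, '<NULL>')     AS pname,
       s.machine,
       s.port,
       p.program                  AS procprog,
       s.program                  AS sessprog,
       s.type                     AS sess_type,
       CASE
         -- No process name and a USER session: an ordinary foreground
         -- connection, like the two sqlplus rows in the output above.
         WHEN p.pname IS NULL     AND s.type = 'USER'       THEN 'FOREGROUND'
         -- Named process and a BACKGROUND session: PMON, SMON, LGWR, ...
         WHEN p.pname IS NOT NULL AND s.type = 'BACKGROUND' THEN 'BACKGROUND'
         -- The two views disagree: not a finding by itself, but a row to
         -- look at more closely during an analysis.
         ELSE 'REVIEW'
       END                        AS classification
FROM   v$session s
       JOIN v$process p
         ON p.addr = s.paddr      -- session -> owning server process
ORDER  BY CASE WHEN p.pname IS NULL THEN 0 ELSE 1 END,  -- foreground rows first
          s.sid;
```

Sorting the NULL PNAME rows to the top puts the client connections, with their MACHINE, PORT and client program, ahead of the long list of background processes.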
